Elliptic Curve performance: NIST vs Brainpool

Introduction

The choice of elliptic curve has a large impact on the performance of ECDSA / ECDHE / ECDH operations. Each type of curve was designed with a different primary goal in mind, and those goals are reflected in the performance of the specific curves.

The following numbers, measured with mbed TLS 2.0 on a 2 GHz Core i7, are only indicative of the relative speed of the various curves. The absolute values will depend on your platform. These numbers also use the default settings for speed-memory trade-offs; see this article.

Brainpool Curve Performance

Why are NIST curves faster than Brainpool curves?

The Brainpool curves use random primes, as opposed to the quasi-Mersenne primes used by the NIST curves. As a result, no fast modular reduction is possible for the Brainpool curves. This has major consequences for the performance of the different curves.
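The sketch below is an added example, not mbed TLS code; its function and constant names are made up for illustration. It goes slightly beyond the text by covering both NIST P-192 and P-256: writing p = 2^bits - d, a NIST prime has a d made of a handful of signed powers of two, so reduction needs only shifts and additions, while the d of brainpoolP256r1 has dozens of terms.

```python
# Added example: fast reduction for quasi-Mersenne (NIST) primes, and why it
# does not carry over to a random (Brainpool) prime. Names are illustrative.

# NIST primes as p = 2^bits - d, with d given as sparse signed powers of two.
P192_BITS, P192_D = 192, [(+1, 64), (+1, 0)]                        # d = 2^64 + 1
P256_BITS, P256_D = 256, [(+1, 224), (-1, 192), (-1, 96), (+1, 0)]  # d = 2^224 - 2^192 - 2^96 + 1

# brainpoolP256r1 prime as published in RFC 5639.
BP256 = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377


def modulus(bits, d_terms):
    """Rebuild p = 2^bits - d from the sparse description of d."""
    return (1 << bits) - sum(sign * (1 << shift) for sign, shift in d_terms)


def fast_reduce(c, bits, d_terms):
    """Return c mod p for p = 2^bits - d using shifts, adds and subtracts only.

    Because 2^bits is congruent to d modulo p, the high part of c can be
    folded back in as hi*d, which costs one shift per term of d.
    """
    p = modulus(bits, d_terms)
    mask = (1 << bits) - 1
    while c >> bits:                      # fold until c fits in `bits` bits
        hi, lo = c >> bits, c & mask
        c = lo + sum(sign * (hi << shift) for sign, shift in d_terms)
    return c - p if c >= p else c         # one final subtraction is enough


def fold_terms(p, bits):
    """Count the signed power-of-two terms of d = 2^bits - p (its NAF weight).

    This is the number of shift-and-add steps one folding round would need.
    """
    n, weight = (1 << bits) - p, 0
    while n:
        if n & 1:
            n -= 2 - (n & 3)              # digit +1 if n % 4 == 1, else -1
            weight += 1
        n >>= 1
    return weight


if __name__ == "__main__":
    print("P-192 terms:", fold_terms(modulus(P192_BITS, P192_D), P192_BITS))
    print("P-256 terms:", fold_terms(modulus(P256_BITS, P256_D), P256_BITS))
    print("brainpoolP256r1 terms:", fold_terms(BP256, 256))
```

With that many terms, folding a Brainpool value costs as much as a full multiplication, so a generic reduction method has to be used instead.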

Can't you optimize Brainpool curves to be as fast as the NIST curves?

Short answer: Unfortunately that is not possible.

The choice for Brainpool using random primes was a design decision, aimed at:

avoiding possible patent issues with fast reduction algorithms

avoiding potential security issues with non-random primes

In any case, Brainpool curve performance similar to NIST curve performance is not going to happen.

Curve25519 support

High-performance alternatives that, like the Brainpool curves, cannot be suspected of malicious manipulation are the curves/protocols designed by Bernstein et al., such as Curve25519 for key exchange and Ed25519 for signatures.

Unfortunately, they use slightly different data structures/representations than the other curves, so their use with TLS and PKIX is not standardized yet. We do support basic Curve25519 arithmetic and will implement its use in TLS / PKIX as soon as a standard is out. (We are actually taking an active part in creating such a standard.)